From b92465034420a9f8976d8490c3f9f79fb52e9635 Mon Sep 17 00:00:00 2001
From: Philip Gough <philip.p.gough@gmail.com>
Date: Wed, 19 Jan 2022 15:06:15 +0000
Subject: [PATCH] docs: Add details about security scanning of manifests and
 exceptions

---
 README.md        |  1 +
 docs/security.md | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 docs/security.md

diff --git a/README.md b/README.md
index 03ef98db..e65bc809 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ If you are migrating from `release-0.7` branch or earlier please read [what chan
   - [Customization Examples](#customization-examples)
   - [Minikube Example](#minikube-example)
   - [Continuous Delivery](#continuous-delivery)
+  - [Security](docs/security.md)
   - [Troubleshooting](#troubleshooting)
     - [Error retrieving kubelet metrics](#error-retrieving-kubelet-metrics)
       - [Authentication problem](#authentication-problem)
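Review bot: the new entry `+  - [Security](docs/security.md)` is the only item in this table of contents that links to a separate file; every sibling in the visible context (`#customization-examples`, `#minikube-example`, `#continuous-delivery`, `#troubleshooting`) is an in-page `#anchor`. Consider adding a short `## Security` section to README.md that points readers to docs/security.md and linking the TOC entry to that anchor, so the list stays a table of contents for README.md and the anchor style remains consistent.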
diff --git a/docs/security.md b/docs/security.md
new file mode 100644
index 00000000..0de52547
--- /dev/null
+++ b/docs/security.md
@@ -0,0 +1,11 @@
+## Security
+
+The manifests generated in this repository are subject to a security audit in CI via [kubescape](https://github.com/armosec/kubescape).
+The scan can be run locally via `make kubescape`.
+
+While we aim for best practices in terms of security by default, due to the nature of the project, we are required to make the exceptions in the following components:
+
+#### node-exporter
+* Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet.
+* Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
+* Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
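Review bot: the new file says exceptions are made for node-exporter but never says how those exceptions are recorded or enforced, so a reader running `make kubescape` cannot tell whether the three findings listed under `#### node-exporter` will be reported as failures or suppressed; add a sentence naming the exception file or mechanism the CI scan uses, or state explicitly that the scan is expected to report these findings. Two smaller points in the same hunk: only the Host Port bullet cites its kubescape control (`https://hub.armo.cloud/docs/c-0044`), while the Host PID and Host Network bullets cite none, so the controls being waived cannot be mapped from the text; and the heading level jumps from `## Security` to `#### node-exporter`, skipping `###`. Wording: `we are required to make the exceptions in the following components` reads better as `we make the following exceptions in these components`, and `considered as a core platform component` should drop `as`.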
-- 
GitLab